1
votes

I'm just getting started with Ruby on Rails. I'm building a Hello World app and I'm using PostgreSQL. I used the following command to create the app:

rails new rails-hw -d postgresql

I created a database user using createuser -s pguser and I set a password.

I edited the development section of the config/database.yml, using the username and password of the user I created. However, it seems that what I use for the password in the database.yml file doesn't matter and my app is always able to access the data in the database. Why is it ignoring the password?

2
In fact, you can remove the password from database.yml. - Sergio Tulentsev

2 Answers

1
votes

Because your current Postgres installation is configured to allow connections from localhost.

Check your pg_hba.conf; most likely you'll find something like this:

# TYPE  DATABASE    USER        IP-ADDRESS    IP-MASK             METHOD
host    all         all         127.0.0.1     255.255.255.255     trust 

This basically says "allow all connections for all Postgres users and databases from 127.0.0.1."

More specifics can be found in the docs: http://www.postgresql.org/docs/9.1/static/auth-pg-hba-conf.html (See example 20-1)

0
votes

Take a look at your pg_hba.conf. It will likely contain special treatment for local users (connections from the same machine):

# Database administrative login by Unix domain socket
local   all             all                                     trust

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust

See those trust methods there? This is what makes passwords not needed. From the documentation:

When trust authentication is specified, PostgreSQL assumes that anyone who can connect to the server is authorized to access the database with whatever database user name they specify (even superuser names). Of course, restrictions made in the database and user columns still apply. This method should only be used when there is adequate operating-system-level protection on connections to the server.
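Both answers come down to the same check: which pg_hba.conf rules use trust. The script below is an added example, not code from the question or either answer; it parses a pg_hba.conf (the sample is constructed from the lines quoted above) in both the CIDR and the older IP-plus-netmask layout, lists the trust rules, and prints each one rewritten to require a password. The replacement method scram-sha-256 assumes PostgreSQL 10 or later; on older servers md5 is the equivalent.

```ruby
# Constructed sample pg_hba.conf, assembled from the lines quoted in the
# answers plus one password-protected rule for contrast.
SAMPLE_HBA = <<~HBA
  # TYPE  DATABASE        USER            ADDRESS                 METHOD
  local   all             all                                     trust
  host    all             all             127.0.0.1/32            trust
  host    all             all             ::1/128                 trust
  host    all             all             10.0.0.0/8              scram-sha-256
HBA

# Parse one pg_hba.conf record into a hash; nil for blank or comment lines.
# "local" records have no ADDRESS column. "host*" records carry either a
# CIDR address or, in the older format, an IP and a separate netmask.
def parse_hba_line(line)
  body = line.sub(/#.*/, '').strip
  return nil if body.empty?
  fields = body.split(/\s+/)
  type, database, user = fields[0..2]
  if type == 'local'
    address, method = nil, fields[3]
  elsif fields[4].to_s.match?(/\A\d+\.\d+\.\d+\.\d+\z/) # IP + netmask form
    address, method = "#{fields[3]} #{fields[4]}", fields[5]
  else
    address, method = fields[3], fields[4]
  end
  { type: type, database: database, user: user, address: address, method: method }
end

# Records whose method accepts any client with no credential at all. These are
# the rules that make the password in database.yml irrelevant.
def trust_rules(hba_text)
  records = hba_text.each_line.map { |l| parse_hba_line(l) }.compact
  records.select { |r| r[:method] == 'trust' }
end

# The same rule with the same scope, but requiring a SCRAM password instead.
def hardened(rule)
  [rule[:type], rule[:database], rule[:user], rule[:address], 'scram-sha-256'].compact.join('  ')
end

if __FILE__ == $PROGRAM_NAME
  trust_rules(SAMPLE_HBA).each do |r|
    puts "trust rule:  #{[r[:type], r[:database], r[:user], r[:address]].compact.join('  ')}"
    puts "replace by:  #{hardened(r)}"
  end
end
```

After editing pg_hba.conf the server must reload it (for example `SELECT pg_reload_conf();` as a superuser) before the new methods take effect, and each role that will connect needs a password set, as the asker's pguser already has.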